🚀 Launch Week Day 4:Introducing the Alert Details Page: A Better Way to Explore Alerts.Learn More →
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

fix-react2shell-next

Package Overview
Dependencies
Maintainers
1
Versions
18
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

fix-react2shell-next

Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command

Source
npmnpm
Version
1.1.0
Version published
Weekly downloads
88K
-22.48%
Maintainers
1
Weekly downloads
 
Created
Source

fix-react2shell-next

fix-react2shell-next

One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.

npx fix-react2shell-next

Deterministic version bumps per the official advisories.

What it does

  • Recursively scans all package.json files (handles monorepos)
  • Checks for vulnerable versions of:
    • next
    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack
  • Patches to the correct fixed version based on your current version
  • Refreshes your lockfile with the detected package manager

Affected Versions

Next.js

Current VersionPatched Version
15.0.0 – 15.0.415.0.5
15.1.0 – 15.1.815.1.9
15.2.0 – 15.2.515.2.6
15.3.0 – 15.3.515.3.6
15.4.0 – 15.4.715.4.8
15.5.0 – 15.5.615.5.7
16.0.0 – 16.0.616.0.7
15.x canaries15.6.0-canary.58
16.x canaries16.1.0-canary.12
14.3.0-canary.77+Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5

React RSC Packages

Current VersionPatched Version
19.0.019.0.1
19.1.0, 19.1.119.1.2
19.2.019.2.1

Usage

Check & Fix (Interactive)

npx fix-react2shell-next

Auto-fix (CI / Non-interactive)

npx fix-react2shell-next --fix

Check Only (Dry Run)

npx fix-react2shell-next --dry-run

JSON Output (for scripting)

npx fix-react2shell-next --json

Example Output

🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner

đź“‚ Found 3 package.json file(s)

🚨 Found 2 vulnerable file(s):

  đź“„ package.json
     next: ^15.1.0 → 15.1.9

  đź“„ apps/web/package.json
     next: ^15.4.3 → 15.4.8
     react-server-dom-webpack: 19.1.0 → 19.1.2

🔧 Apply fixes? [Y/n] y

🔧 Applying fixes...

   âś“ Updated package.json
   âś“ Updated apps/web/package.json

📦 Package manager: pnpm
🔄 Refreshing lockfile...

$ pnpm install

âś… Patches applied!
   Remember to test your app and commit the changes.

Monorepo Support

The tool automatically finds all package.json files in your project, excluding:

  • node_modules
  • .next, .turbo, .vercel, .nuxt
  • dist, build, .output
  • coverage

Works with npm, yarn, pnpm, and bun workspaces.

References

License

MIT

Keywords

nextjs
react
security
vulnerability
cve
rce

FAQs

Package last updated on 11 Dec 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports

Security News

curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports

A surge of AI-generated vulnerability reports has pushed open source maintainers to rethink bug bounties and tighten security disclosure processes.

By Sarah Gooding  -  Jan 23, 2026
Introducing Immutable Scans

Product

Introducing Immutable Scans

Scan results now load faster and remain consistent over time, with stable URLs and on-demand rescans for fresh security data.

By Nolan Lawson  -  Jan 23, 2026